During June 2021 Google addressed Google Workspace Admins for an important update on Drive security and file sharing.

Many Admins would have received an email from Google Operations Team inviting them to visit the Alert Center: this is a section of the administration console which displays a list of alerts, each with a short description, affecting the domain in use.

In particular, by entering the Alert center, beyond other notifications, Admins will find a security update concerning sharing via link files and folders in Google Drive.

Let’s take a step back and understand how link-sharing works, before getting into detail of this upcoming security update.

Sharing Google Drive files and folders

Google Drive is the space for storing and sharing documents of Google users, both private and corporate, meaning the space of an organization that chose Google Workspace as a productivity and collaboration platform.

As you surely know, it is possible to share files stored in Google Drive with other users. To do so, we can proceed in several ways, one of which is link-sharing. As explained in this support article, it is possible to send a link to a file by selecting the file fo be shared and clicking on Get link. We are able to decide to share the link with specific users or publicly and which permissions do users have among Viewer, Commenter and Editor.

A similar procedure allows us to share not only a single file, but an entire folder and its content: read here how to do so.

In this case as well, we can get the link of the folder and send it to those who we want to be able to access its content. As a first step, this setting will apply to all files existing inside the folder: we will then have the possibility to change single permissions on files.

All of these operations can be modified during time. We just have to verify, especially in the case of a folder shared publicly, that contents inside are those we want and change permissions, in case it is needed.

Security update for link-sharing

Going back to the notification we were examining before, it is intended to make file sharing from Google Drive more secure and will be applied on September 13t, 2021.

In order to improve sharing security, a resource key will be included in the shared file’s URL: this modifies the link of the resource, being it a folder or a document. We should therefore make sure to update these URLs in case they are published in documentation or internal sites. As far as access is concerned, users who have direct access or have already viewed the files will continue to do so. Instead, other users may need to request access. More detailed information can be found here.

The notification invites us to choose how to apply the update at an organizational level. We can apply it with no possibility of removing it or letting users remove it on specific files (this is the default option that will be set for Non-educational organizations which do not operate a choice). Otherwise it is possible to remove the security update, even if this option is not recommended by Google.

Admins can opt for one or the other option by July 23, 2021: end users will get notified of impacted files and will have the chance or choosing to apply the update by August 25, 2021.

Update 29/07

These days Google is sending a notification to Gmail and Google Workspace users owning files shared via link.

The link at the end of the email will guide us to a list of “Impacted files” where we can choose if removing the update and not changing the URL so that the level of access will not change. However this option is not recommended by Google unless it is for publicly shared files intended for a potentially new audience. Users that already viewed the files will still have access.

To recap the security update and its implications, we refer to the support article.